On Thu, 2024-11-28 at 12:40 -0800, Luis Chamberlain wrote:
> On Thu, Nov 28, 2024 at 09:23:57AM +0100, Roberto Sassu wrote:
> > On Wed, 2024-11-27 at 11:53 -0800, Luis Chamberlain wrote:
> > > On Wed, Nov 27, 2024 at 10:51:11AM +0100, Roberto Sassu wrote:
> > > > For eBPF programs we are also in need of a better way to
> > > > measure/appraise them.
> > >
> > > I am confused now, I was under the impression this "Integrity Digest
> > > Cache" is just a special thing for LSMs, and so I was under the
> > > impression that the kernel_read_file() LSM hook already would take care
> > > of eBPF programs.
> >
> > Yes, the problem is that eBPF programs are transformed in user space
> > before they are sent to the kernel:
> >
> > https://lwn.net/Articles/977394/
>
> That issue seems to be orthogonal to your endeavor though, which just
> supplements LSMs, right?

Yes, correct, the Integrity Digest Cache would be used to search whatever
digest was calculated by LSMs.

Thanks

Roberto

> Anyway, in case this helps:
>
> The Rust folks faced some slightly related challenges with our CRC
> validations for symbols: our CRCs are slapped on with genksyms, but this
> relies on the source code, and with Rust the compiler may do final
> touches to data. And so DWARF is being used [1].
>
> Although I am not sure of the state of eBPF DWARF support, there is also
> BTF support [0], and most distros are relying on it to make live introspection
> easier, and the output is much smaller. So could DWARF or BTF information
> from eBPF programs be used by the verifier in a similar way to verify eBPF
> programs?
>
> Note that to support BTF implicates DWARF, and the leap of faith for Rust
> modversions support is that most distros will support DWARF, and so BTF
> can become the norm [2].
>
> [0] https://www.kernel.org/doc/html/latest/bpf/btf.html
> [1] https://lwn.net/Articles/986892/
> [2] https://lwn.net/Articles/991719/
>
> Luis
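The point Roberto makes about eBPF programs being "transformed in user space" is the reason a digest taken by the kernel_read_file() hook over the on-disk object cannot be matched against what bpf(BPF_PROG_LOAD) actually receives. The C program below is an added illustration, not code from this thread, from the Integrity Digest Cache series or from libbpf: it models the map-fd relocation a loader performs on an ld_imm64 instruction (src_reg set to BPF_PSEUDO_MAP_FD, imm set to the fd of the map it just created) and shows that the instruction bytes handed to the kernel depend on a runtime fd. The struct bpf_insn layout copies the uapi header; the program, the relocation table and the fd values are constructed for the example; FNV-1a is a stand-in digest chosen only so the block runs offline, not the algorithm any LSM uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Local copy of the uapi layout of struct bpf_insn (include/uapi/linux/bpf.h). */
struct bpf_insn {
    uint8_t code;        /* opcode */
    uint8_t dst_reg:4;   /* destination register */
    uint8_t src_reg:4;   /* source register */
    int16_t off;         /* signed offset */
    int32_t imm;         /* signed immediate constant */
};

#define BPF_LD_DW_IMM     0x18  /* BPF_LD | BPF_DW | BPF_IMM: 16-byte ld_imm64 */
#define BPF_PSEUDO_MAP_FD 1     /* src_reg value telling the verifier imm is a map fd */
#define BPF_MOV64_K       0xb7  /* BPF_ALU64 | BPF_MOV | BPF_K */
#define BPF_EXIT_OP       0x95  /* BPF_JMP | BPF_EXIT */

/* FNV-1a 64 stands in for a real digest (an LSM would use SHA-256 or similar);
 * only the "does the value change" property matters here. Assumption, not kernel code. */
static uint64_t fnv1a64(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed program as it would sit in the ELF .text section: the ld_imm64 that
 * references the map is still a placeholder (src_reg 0, imm 0); an ELF relocation
 * entry, modelled below by reloc_idx[], names the map symbol it refers to. */
static size_t build_elf_program(struct bpf_insn *out)
{
    out[0] = (struct bpf_insn){ .code = BPF_LD_DW_IMM, .dst_reg = 1 };       /* r1 = <map>, fixed up by loader */
    out[1] = (struct bpf_insn){ 0 };                                         /* second half of ld_imm64 */
    out[2] = (struct bpf_insn){ .code = BPF_MOV64_K, .dst_reg = 0, .imm = 0 }; /* r0 = 0 */
    out[3] = (struct bpf_insn){ .code = BPF_EXIT_OP };                       /* exit */
    return 4;
}

/* What the loader does before bpf(BPF_PROG_LOAD): resolve each map relocation by
 * patching src_reg = BPF_PSEUDO_MAP_FD and imm = the fd of the map it created.
 * Returns the number of instructions patched; malformed entries are skipped. */
static size_t relocate_map_fds(struct bpf_insn *insns, size_t n,
                               const size_t *reloc_idx, size_t nreloc, int map_fd)
{
    size_t patched = 0;
    for (size_t r = 0; r < nreloc; r++) {
        size_t i = reloc_idx[r];
        if (i + 1 >= n || insns[i].code != BPF_LD_DW_IMM)
            continue;
        insns[i].src_reg = BPF_PSEUDO_MAP_FD;
        insns[i].imm = map_fd;
        insns[i + 1].imm = 0;   /* upper 32 bits are unused for a map fd */
        patched++;
    }
    return patched;
}

/* Digest of the instruction stream either as found in the ELF (apply_reloc == 0)
 * or as handed to the kernel after the loader's relocation (apply_reloc != 0). */
static uint64_t program_digest(int map_fd, int apply_reloc)
{
    struct bpf_insn insns[4];
    size_t n = build_elf_program(insns);
    const size_t relocs[] = { 0 };   /* one map reference, at instruction 0 */
    if (apply_reloc)
        relocate_map_fds(insns, n, relocs, 1, map_fd);
    return fnv1a64(insns, n * sizeof insns[0]);
}

int main(void)
{
    printf("digest of ELF bytes:           %016llx\n", (unsigned long long)program_digest(5, 0));
    printf("digest seen by kernel (fd 5):  %016llx\n", (unsigned long long)program_digest(5, 1));
    printf("digest seen by kernel (fd 7):  %016llx\n", (unsigned long long)program_digest(7, 1));
    return 0;
}
```

The ELF digest is stable across runs, but the bytes the verifier sees differ from it and even differ between two loads of the same object that happened to get different map fds, which is why a measurement of the file alone cannot be reused to appraise what was actually loaded.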